Flash requests and security

sanekmacros · June 7, 2010, 3:19am

Hi to all!

Anybody works with any flash uploaders? I use Uploadify, but seems it doesn’t matter what kind of one you use.

I need to restrict the upload of the files for all except the authorized users, cause the upload is in admin panel. But I can’t understand why my Yii::app()->user->isGuest checking always return the true. I’m already in admin panel and it returns false for all requests except the flash requests

I don’t know the right way for debug the flash requests, because I truly don’t familiar with flash and in firebug console these requests does not displaying. So for check this I just write some data to new created file.

if ( Yii::app()->user->isGuest ) { file_put_contents(‘1.txt’, ‘true’); }

And unfortunately I always see the true there

Y11 · June 7, 2010, 4:31am

See here. Obviously you have to build a workaround for it to work. Though I know nothing about flash - maybe there’s a much easier solution already.

sanekmacros · June 7, 2010, 6:00am

Thanks for reply.

Do you know the any way for realize it in yii? I tried something like this:

In UserIdentity.php file:


$this->setState('sid', md5(uniqid()));

Then in the index.php view:


<?php $this->widget('ext.uploadify.Uploadify', array(

     'options'=>array(

          ......

          'sessionid'=>Yii::app()->user->sid,

     ),

)); ?>

And in the Uploadify widget view:


'scriptData': {'sessionid': '<?php echo $options["sessionid"]; ?>'},

But if then we check on backend:


if ( $_GET['sessionid'] == Yii::app()->user->sid ) { file_put_contents('c:/1.txt', 'access granted'); }

it doesn’t work. In $_GET[‘sessionid’] we have the right value, but Yii::app()->user->sid variable is undefined and server returns 500 error.

How can I check this workaround otherwise ?

Y11 · June 7, 2010, 6:58am

Put this snippet in your index.php entry-script so the correct session-id can be read from cookie when the session-component gets loaded (means when you access Yii::app()->user->…). Otherwise a new session gets created I guess.




if (isset($_GET['sessionid']))

{

   $_COOKIE['sessionid'] = $_GET['sessionid'];

}

Also you have to submit actual session id here:


<?php $this->widget('ext.uploadify.Uploadify', array(

     'options'=>array(

          ......

          'sessionid'=>Yii::app()->session->id,

     ),

)); ?>

Then just do something like:




if (!Yii::app()->user->isGuest) { file_put_contents('c:/1.txt', 'access granted'); }

sanekmacros · June 7, 2010, 7:38am

But in entry index.php script the $_GET[‘sessionid’] is not defined yet and isset($_GET[‘sessionid’]) will return false. It will be defined only after sending the flash request. So the variable Yii::app()->session->id also undefined, bacause session has not been started.

Y11 · June 7, 2010, 7:58am

Well when you’re on the upload-page, you have a valid session (isGuest == false). Now when you upload, the flash-script sends a request that does NOT include the valid session (isGuest == true). So in order to have the same session that you had on the upload-page, you have to make sure the correct session-id is in $_COOKIE array by copying it from $_GET to $_COOKIE. Now when the session component gets loaded (eg. when accessing isGuest), it reads the correct session id from $_COOKIE and everything should work (accessing Yii::app()->user-> like usual).

That’s how I understood the issue? Did I missed something?

sanekmacros · June 7, 2010, 9:14am

Ok you are completely right.

I tried to debug this all stuff and what I have got:

In entry script AdminModule.php:


print_r($_COOKIE);

if ( isset($_GET['sessionid']) ) {

	$_COOKIE['sessionid'] = $_GET['sessionid'];

	print_r($_COOKIE);

	exit();

}

At beginning the $_COOKIE array:

Array (

 [PHPSESSID] =&gt; 7d9e26be380c4231416f0be8ab24c68f 


 [7f55e9b3eaa2a57e082b26b9513b76cf] =&gt; 10489a60b3f43654b11dfa1f7b11ff0f4ad4e134a:4:{i:0;i:1;i:1;s:5:&quot;admin&quot;;i:2;i:2592000;i:3;a:1:{s:3:&quot;[b]sid[/b]&quot;;s:32:&quot;[b]28bdda54aedef6c270d23ac112d0f300[/b]&quot;;}}

)

28bdda54aedef6c270d23ac112d0f300 is the one value that I want to compare.

Then I send the flash request and get:

Array

(

 [PHPSESSID] =&gt; 612aafe184086cab0cc3e5cb04b28eab

)

Array

(

 [PHPSESSID] =&gt; 612aafe184086cab0cc3e5cb04b28eab


 [sessionid] =&gt; [b]28bdda54aedef6c270d23ac112d0f300[/b]

)

The one thing here I can’t understand is that the first print_r return only PHPSESSID and no desired 7f55e9b3eaa2a57e082b26b9513b76cf . So with what should I compare the $_GET[‘sessionid’] value?

Y11 · June 7, 2010, 9:51am

Currently the default session name ‘PHPSESSID’ is used, but you use ‘sessionid’ in script. Do:




'components' => array(

   ...

   'session' => array(

      'name' => 'sessionid',

   ),

   ...

),

Then make sure that both requests have the same $_COOKIE[‘sessionid’]. Otherwise the whole thing won’t work at all since Yii::app()->user->sid is actually stored in the session.

This is just the auto-login cookie I think:




[7f55e9b3eaa2a57e082b26b9513b76cf] => 10489a60b3f43654b11dfa1f7b11ff0f4ad4e134a:4:{i:0;i:1;i:1;s:5:"admin";i:2;i:2592000;i:3;a:1:{s:3:"sid";s:32:"28bdda54aedef6c270d23ac112d0f300";}}

sanekmacros · June 7, 2010, 10:07am

I change the config how you said:


'session'=>array(

	'sessionName'=>'sessionid',

),

Now $_COOKIE is:

Array

(

[PHPSESSID] =&gt; 7d9e26be380c4231416f0be8ab24c68f


[sessionid] =&gt; d24da0f61ef36d5eb36250bb32e6cd46


[7f55e9b3eaa2a57e082b26b9513b76cf] =&gt; 3a1eadcfcf51df73c808a7bf44a2cd70d5cac5eca:4:{i:0;i:1;i:1;s:5:&quot;admin&quot;; ...cutted...

)

But with flash it works as before and $_COOKIE:

Array

(

[PHPSESSID] =&gt; 612aafe184086cab0cc3e5cb04b28eab

)

Y11 · June 7, 2010, 10:30am

I know you said in a previous post it works, but can you test on the flash-request if $_GET[‘sessionid’] is correctly set? I don’t think that’s the case because the output




Array

(

[PHPSESSID] => 612aafe184086cab0cc3e5cb04b28eab

)

is missing ‘sessionid’ and it should be set by … $_COOKIE[‘sessionid’] = $_GET[‘sessionid’]; …

However, if $_GET[‘sessionid’] is set correctly, remove the snippet from AdminModule and put it in index.php for testing.

sanekmacros · June 7, 2010, 11:12am

Please tell me what should I do after $_COOKIE[‘sessionid’] = $_GET[‘sessionid’]; ?

Y11 · June 8, 2010, 2:10am

On the flash-request, you must make sure $_GET[‘sessionid’] is correctly set. If that’s the case it should get successfully copied to $_COOKIE (as I said please do the copying in the index.php). Then the session component is able to load the same session that you had on the original upload-page. Otherwise a new (empty) session gets created and isGuest will return true of course.

I mean this, put it in index.php just to make sure it gets done as early as possible so everything will work later on:




if (isset($_GET['sessionid']))

{

   $_COOKIE['sessionid'] = $_GET['sessionid'];

}

Before playing around with setState() etc., make sure both requests have the same Yii::app()->session->id.

sanekmacros · June 8, 2010, 7:10am

Thank you very much

Equ · August 15, 2010, 7:21pm

Everything seems good and I’m also using this approach in my application (with YUI Uploader). But how safe is this approach in terms of security?

Thank you!

mech7 · August 16, 2010, 2:45am

Uploadify works with me without anything extra but CSRF is not enabled…

Equ · August 16, 2010, 12:16pm

I know it works But my question was how secure it is to send cookie data through POST request?

Btw, I have cookie validation enabled and thinking about enabling CSRF prevention.

mech7 · August 17, 2010, 11:23am

Withouth CSRF it works with me without cookie data… the sessions stays alive. But i read there are some problems if you use the Suhosin patch in php.

http://www.uploadify.com/forum/viewtopic.php?f=7&t=2585